如何使用最新的 Azure SDK .NET API v12 在 Blob 上获取共享访问签名?
How to get a Shared Access Signature on a Blob using the latest Azure SDK .NET API v12?
我曾经能够使用 v11 Azure SDK API 在 Blob 上创建共享访问签名,如下所示:
var containerName = "mycontainer";
var blobName = "myblob";
CloudStorageAccount storageAccount
= CloudStorageAccount.Parse(<StorageConnectionString>);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.Read;
TimeSpan clockSkew = TimeSpan.FromMinutes(15d);
TimeSpan accessDuration = TimeSpan.FromMinutes(15d);
var blobSAS = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTime.UtcNow.Subtract(clockSkew),
SharedAccessExpiryTime = DateTime.UtcNow.Add(accessDuration) + clockSkew,
Permissions = permissions
};
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
string sasBlobToken = blob.GetSharedAccessSignature(blobSAS);
...
我想使用最新的 v12 .NET API,它似乎将 CloudBlobClient 替换为 BlobServiceClient,将 CloudBlobContainer 替换为 BlobContainerClient 和 CloudBlockBlob 通过 BlobClient。
然而,在 CloudBlockBlob 实例上可用的方法 GetSharedAccessSignature 在 BlobClient 实例上不可用。
问题
如何使用最新的 Azure SDK .NET API v12 从 BlobClient 实例获取共享访问签名?
Sajeetharan 的回答让我寻找 BlobSasBuilder class,它确实存在。
以下是我如何在服务器上构建一个:
// Creates a client to the BlobService using the connection string.
var blobServiceClient = new BlobServiceClient(storageConnectionString);
// Gets a reference to the container.
var blobContainerClient = blobServiceClient.GetBlobContainerClient(<ContainerName>);
// Gets a reference to the blob in the container
BlobClient blobClient = containerClient.GetBlobClient(<BlobName>);
// Defines the resource being accessed and for how long the access is allowed.
var blobSasBuilder = new BlobSasBuilder
{
StartsOn = DateTime.UtcNow.Subtract(clockSkew),
ExpiresOn = DateTime.UtcNow.Add(accessDuration) + clockSkew,
BlobContainerName = <ContainerName>,
BlobName = <BlobName>,
};
// Defines the type of permission.
blobSasBuilder.SetPermissions(BlobSasPermissions.Write);
// Builds an instance of StorageSharedKeyCredential
var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);
// Builds the Sas URI.
BlobSasQueryParameters sasQueryParameters = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential);
以下是如何在客户端使用它:
// Builds the URI to the blob storage.
UriBuilder fullUri = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", <AccountName>),
Path = string.Format("{0}/{1}", <ContainerName>, <BlobName>),
Query = sasQueryParameters.ToString()
};
// Get an instance of BlobClient using the URI.
var blobClient = new BlobClient(fullUri.Uri, null);
// Upload stuff in the blob.
await blobClient.UploadAsync(stream);
附录
正如@one2012 在评论中提到的,a page has been put up few months later 在这个答案之后展示了在 Azure.Storage 命名空间中找到的所有特性。 link 可用于获取更多信息。
更新
在服务器端,我有一个 Azure 函数,它现在将 Azure 存储与函数的托管标识连接起来。当我连接存储时,我不再使用帐户,只使用存储的端点:
BlobContainerClient blobContainerClient = new(new Uri(containerEndpoint), new DefaultAzureCredential());
这使得初始服务器代码中的以下部分有点棘手,因为我曾经使用 CloudStorageAccount.Credentials.GetExportKeys() 方法来获取帐户的密钥。使用托管身份时,我似乎无法再访问它了:
// Builds an instance of StorageSharedKeyCredential
var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);
原来我必须使用 User Delegation 来构建 SAS Uri:
...
BlobServiceClient blobServiceClient = blobClient.GetParentBlobContainerClient().GetParentBlobServiceClient();
UserDelegationKey userDelegationKey = await blobServiceClient.GetUserDelegationKeyAsync
(
DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddMinutes(5d)
);
BlobUriBuilder blobUriBuilder = new (blobClient.Uri)
{
// Specify the user delegation key.
Sas = blobSasBuilder.ToSasQueryParameters(userDelegationKey, blobServiceClient.AccountName)
};
string uri = blobUriBuilder.ToUri();
使用适用于 .NET 的 Azure Blob 存储客户端库 v12:
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(lifetimeMinutes)
};
blobSasBuilder.SetPermissions(BlobSasPermissions.Read);
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
private string BuildSASUri(BlobClient blob)
{
// Create a user SAS that only allows reading for a minute
BlobSasBuilder sas = new BlobSasBuilder
{
BlobContainerName = blob.BlobContainerName,
BlobName = blob.Name,
Resource = "b",
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(1)
};
// Allow read access
sas.SetPermissions(BlobSasPermissions.Read);
var storageSharedKeyCredential = new StorageSharedKeyCredential(
_iconfiguration.GetValue<string>("StorageAccount:AccountName"),
_iconfiguration.GetValue<string>("StorageAccount:AccountKey")
);
return sas.ToSasQueryParameters(storageSharedKeyCredential).ToString();
}
以上是我的工作代码。
但是,我不知道如何使用 V12 创建存储访问策略。应该是这样的:https://docs.microsoft.com/en-us/dotnet/api/azure.storage.blobs.blobcontainerclient.setaccesspolicy?view=azure-dotnet
但我认为微软完全忘记了提供创建 BlobSignedIdentifier 的方法。
它使用 Microsoft.Azure.Storage.Blob,但 https://www.nuget.org/packages/Microsoft.Azure.Storage.Blob/ 说不要再使用它了。
经过大量搜索,我找到了一些关于此的 Microsoft 文档:https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet
此详细信息使用用户委托密钥而不是帐户密钥生成 SAS,但更改只是对 .ToSasQueryParameters() 的不同重载,如其他答案中所述。
文章中的一些关键片段将其联系起来。首先创建您的 BlobServiceClient:
// Construct the blob endpoint from the account name.
string blobEndpoint = string.Format("https://{0}.blob.core.windows.net", accountName);
// Create a new Blob service client with Azure AD credentials.
BlobServiceClient blobClient = new BlobServiceClient(new Uri(blobEndpoint),
new DefaultAzureCredential());
获取用户委托密钥,这将用于生成 SAS:
// Get a user delegation key for the Blob service that's valid for seven days.
// You can use the key to generate any number of shared access signatures over the lifetime of the key.
UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddDays(7));
最后创建 SAS URI:
// Create a SAS token that's valid for one hour.
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
BlobName = blobName,
Resource = "b",
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Specify read permissions for the SAS.
sasBuilder.SetPermissions(BlobSasPermissions.Read);
// Use the key to get the SAS token.
string sasToken = sasBuilder.ToSasQueryParameters(key, accountName).ToString();
// Construct the full URI, including the SAS token.
UriBuilder fullUri = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", accountName),
Path = string.Format("{0}/{1}", containerName, blobName),
Query = sasToken
};
使用适用于 .NET 的 Azure Blob 存储客户端库 v12:
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(lifetimeMinutes)
};
blobSasBuilder.SetPermissions(BlobSasPermissions.Read);
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
如果必须根据分配给容器的访问策略生成共享访问签名(SAS 令牌),则使用以下方法
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
Identifier = "ReadOnlyPolicy" //string value referees to the access policy created and assigned to the container.
};
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
注意:当 SAS 令牌生成基于分配给容器的访问策略时,您将无法在 BlobSasBuilder 中定义权限、开始或结束时间。您将获得运行时异常 "Access policy fields can be associated with signature or SAS identifier but not both"
此处:https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature 说明 Azure 存储支持三种不同类型的共享访问签名 (SAS):
- 帐户级别 SAS,这是您在 v11 SDK 中使用的。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/common/storage-account-sas-create-dotnet
- 服务级别 SAS,使用 v12(和 V11)SDK。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create?tabs=dotnet
- 用户委托 SAS,这是 Microsoft 推荐的方法,前提是您可以使用 Azure Active Directory 用户签署反对使用 v12 SDK。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet
1 和 2 都使用帐户的共享密钥生成 SAS 令牌,而 3 使用从 AAD 帐户用户生成的密钥,因此更安全并且更容易在需要时(理论上)进行撤销。参见 https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#:~:text=Authorization%20of%20a%20user%20delegation%20SAS,-When%20a%20client&text=This%20approach%20provides%20an%20additional,is%20a%20security%20best%20practice。有关 为什么 的更多详细信息,这更安全(“这种方法提供了额外的安全级别,并且避免了将您的帐户访问密钥与您的应用程序代码一起存储的需要。出于这些原因,创建一个使用 Azure AD 凭据的 SAS 是一种安全最佳实践。”)
现在所有的存储帐户都支持使用,但我的印象是帐户级别不支持实现 ] 在 v12 SDK 中(我在猜测 - 所以不要引用我的话,但我也找不到这个)或者有一些其他隐藏的方法可以做到这一点(当然 BlobSasBuilder.ToSasQueryParameters() 方法只有两个重载),我想这会使用户委托或服务级别方法成为您现在 打算 实施的方法。
我曾经能够使用 v11 Azure SDK API 在 Blob 上创建共享访问签名,如下所示:
var containerName = "mycontainer";
var blobName = "myblob";
CloudStorageAccount storageAccount
= CloudStorageAccount.Parse(<StorageConnectionString>);
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
CloudBlobContainer container = blobClient.GetContainerReference(containerName);
SharedAccessBlobPermissions permission = SharedAccessBlobPermissions.Read;
TimeSpan clockSkew = TimeSpan.FromMinutes(15d);
TimeSpan accessDuration = TimeSpan.FromMinutes(15d);
var blobSAS = new SharedAccessBlobPolicy
{
SharedAccessStartTime = DateTime.UtcNow.Subtract(clockSkew),
SharedAccessExpiryTime = DateTime.UtcNow.Add(accessDuration) + clockSkew,
Permissions = permissions
};
CloudBlockBlob blob = container.GetBlockBlobReference(blobName);
string sasBlobToken = blob.GetSharedAccessSignature(blobSAS);
...
我想使用最新的 v12 .NET API,它似乎将 CloudBlobClient 替换为 BlobServiceClient,将 CloudBlobContainer 替换为 BlobContainerClient 和 CloudBlockBlob 通过 BlobClient。
然而,在 CloudBlockBlob 实例上可用的方法 GetSharedAccessSignature 在 BlobClient 实例上不可用。
问题
如何使用最新的 Azure SDK .NET API v12 从 BlobClient 实例获取共享访问签名?
Sajeetharan 的回答让我寻找 BlobSasBuilder class,它确实存在。
以下是我如何在服务器上构建一个:
// Creates a client to the BlobService using the connection string.
var blobServiceClient = new BlobServiceClient(storageConnectionString);
// Gets a reference to the container.
var blobContainerClient = blobServiceClient.GetBlobContainerClient(<ContainerName>);
// Gets a reference to the blob in the container
BlobClient blobClient = containerClient.GetBlobClient(<BlobName>);
// Defines the resource being accessed and for how long the access is allowed.
var blobSasBuilder = new BlobSasBuilder
{
StartsOn = DateTime.UtcNow.Subtract(clockSkew),
ExpiresOn = DateTime.UtcNow.Add(accessDuration) + clockSkew,
BlobContainerName = <ContainerName>,
BlobName = <BlobName>,
};
// Defines the type of permission.
blobSasBuilder.SetPermissions(BlobSasPermissions.Write);
// Builds an instance of StorageSharedKeyCredential
var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);
// Builds the Sas URI.
BlobSasQueryParameters sasQueryParameters = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential);
以下是如何在客户端使用它:
// Builds the URI to the blob storage.
UriBuilder fullUri = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", <AccountName>),
Path = string.Format("{0}/{1}", <ContainerName>, <BlobName>),
Query = sasQueryParameters.ToString()
};
// Get an instance of BlobClient using the URI.
var blobClient = new BlobClient(fullUri.Uri, null);
// Upload stuff in the blob.
await blobClient.UploadAsync(stream);
附录
正如@one2012 在评论中提到的,a page has been put up few months later 在这个答案之后展示了在 Azure.Storage 命名空间中找到的所有特性。 link 可用于获取更多信息。
更新
在服务器端,我有一个 Azure 函数,它现在将 Azure 存储与函数的托管标识连接起来。当我连接存储时,我不再使用帐户,只使用存储的端点:
BlobContainerClient blobContainerClient = new(new Uri(containerEndpoint), new DefaultAzureCredential());
这使得初始服务器代码中的以下部分有点棘手,因为我曾经使用 CloudStorageAccount.Credentials.GetExportKeys() 方法来获取帐户的密钥。使用托管身份时,我似乎无法再访问它了:
// Builds an instance of StorageSharedKeyCredential
var storageSharedKeyCredential = new StorageSharedKeyCredential(<AccountName>, <AccountKey>);
原来我必须使用 User Delegation 来构建 SAS Uri:
...
BlobServiceClient blobServiceClient = blobClient.GetParentBlobContainerClient().GetParentBlobServiceClient();
UserDelegationKey userDelegationKey = await blobServiceClient.GetUserDelegationKeyAsync
(
DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddMinutes(5d)
);
BlobUriBuilder blobUriBuilder = new (blobClient.Uri)
{
// Specify the user delegation key.
Sas = blobSasBuilder.ToSasQueryParameters(userDelegationKey, blobServiceClient.AccountName)
};
string uri = blobUriBuilder.ToUri();
使用适用于 .NET 的 Azure Blob 存储客户端库 v12:
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(lifetimeMinutes)
};
blobSasBuilder.SetPermissions(BlobSasPermissions.Read);
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
private string BuildSASUri(BlobClient blob)
{
// Create a user SAS that only allows reading for a minute
BlobSasBuilder sas = new BlobSasBuilder
{
BlobContainerName = blob.BlobContainerName,
BlobName = blob.Name,
Resource = "b",
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(1)
};
// Allow read access
sas.SetPermissions(BlobSasPermissions.Read);
var storageSharedKeyCredential = new StorageSharedKeyCredential(
_iconfiguration.GetValue<string>("StorageAccount:AccountName"),
_iconfiguration.GetValue<string>("StorageAccount:AccountKey")
);
return sas.ToSasQueryParameters(storageSharedKeyCredential).ToString();
}
以上是我的工作代码。
但是,我不知道如何使用 V12 创建存储访问策略。应该是这样的:https://docs.microsoft.com/en-us/dotnet/api/azure.storage.blobs.blobcontainerclient.setaccesspolicy?view=azure-dotnet
但我认为微软完全忘记了提供创建 BlobSignedIdentifier 的方法。
它使用 Microsoft.Azure.Storage.Blob,但 https://www.nuget.org/packages/Microsoft.Azure.Storage.Blob/ 说不要再使用它了。
经过大量搜索,我找到了一些关于此的 Microsoft 文档:https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet
此详细信息使用用户委托密钥而不是帐户密钥生成 SAS,但更改只是对 .ToSasQueryParameters() 的不同重载,如其他答案中所述。
文章中的一些关键片段将其联系起来。首先创建您的 BlobServiceClient:
// Construct the blob endpoint from the account name.
string blobEndpoint = string.Format("https://{0}.blob.core.windows.net", accountName);
// Create a new Blob service client with Azure AD credentials.
BlobServiceClient blobClient = new BlobServiceClient(new Uri(blobEndpoint),
new DefaultAzureCredential());
获取用户委托密钥,这将用于生成 SAS:
// Get a user delegation key for the Blob service that's valid for seven days.
// You can use the key to generate any number of shared access signatures over the lifetime of the key.
UserDelegationKey key = await blobClient.GetUserDelegationKeyAsync(DateTimeOffset.UtcNow,
DateTimeOffset.UtcNow.AddDays(7));
最后创建 SAS URI:
// Create a SAS token that's valid for one hour.
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
BlobContainerName = containerName,
BlobName = blobName,
Resource = "b",
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
// Specify read permissions for the SAS.
sasBuilder.SetPermissions(BlobSasPermissions.Read);
// Use the key to get the SAS token.
string sasToken = sasBuilder.ToSasQueryParameters(key, accountName).ToString();
// Construct the full URI, including the SAS token.
UriBuilder fullUri = new UriBuilder()
{
Scheme = "https",
Host = string.Format("{0}.blob.core.windows.net", accountName),
Path = string.Format("{0}/{1}", containerName, blobName),
Query = sasToken
};
使用适用于 .NET 的 Azure Blob 存储客户端库 v12:
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
StartsOn = DateTimeOffset.UtcNow,
ExpiresOn = DateTimeOffset.UtcNow.AddMinutes(lifetimeMinutes)
};
blobSasBuilder.SetPermissions(BlobSasPermissions.Read);
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
如果必须根据分配给容器的访问策略生成共享访问签名(SAS 令牌),则使用以下方法
BlobSasBuilder blobSasBuilder = new BlobSasBuilder()
{
BlobContainerName = blobContainerName,
BlobName = blobName,
Resource = "b", //b = blob, c = container
Identifier = "ReadOnlyPolicy" //string value referees to the access policy created and assigned to the container.
};
StorageSharedKeyCredential storageSharedKeyCredential = new StorageSharedKeyCredential(accountName, accountKey);
string sas = blobSasBuilder.ToSasQueryParameters(storageSharedKeyCredential).ToString();
注意:当 SAS 令牌生成基于分配给容器的访问策略时,您将无法在 BlobSasBuilder 中定义权限、开始或结束时间。您将获得运行时异常 "Access policy fields can be associated with signature or SAS identifier but not both"
此处:https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature 说明 Azure 存储支持三种不同类型的共享访问签名 (SAS):
- 帐户级别 SAS,这是您在 v11 SDK 中使用的。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/common/storage-account-sas-create-dotnet
- 服务级别 SAS,使用 v12(和 V11)SDK。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/blobs/sas-service-create?tabs=dotnet
- 用户委托 SAS,这是 Microsoft 推荐的方法,前提是您可以使用 Azure Active Directory 用户签署反对使用 v12 SDK。此处的详细信息和示例:https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-dotnet
1 和 2 都使用帐户的共享密钥生成 SAS 令牌,而 3 使用从 AAD 帐户用户生成的密钥,因此更安全并且更容易在需要时(理论上)进行撤销。参见 https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas#:~:text=Authorization%20of%20a%20user%20delegation%20SAS,-When%20a%20client&text=This%20approach%20provides%20an%20additional,is%20a%20security%20best%20practice。有关 为什么 的更多详细信息,这更安全(“这种方法提供了额外的安全级别,并且避免了将您的帐户访问密钥与您的应用程序代码一起存储的需要。出于这些原因,创建一个使用 Azure AD 凭据的 SAS 是一种安全最佳实践。”)
现在所有的存储帐户都支持使用,但我的印象是帐户级别不支持实现 ] 在 v12 SDK 中(我在猜测 - 所以不要引用我的话,但我也找不到这个)或者有一些其他隐藏的方法可以做到这一点(当然 BlobSasBuilder.ToSasQueryParameters() 方法只有两个重载),我想这会使用户委托或服务级别方法成为您现在 打算 实施的方法。